path: root/lib
Commit message [Author, Age, Files, Lines]
* Merge branch 'nettle-master-gostdsa' into 'master' [Nikos Mavrogiannopoulos, 2020-01-31, 9 files, -30/+88]
      nettle/gost: support use GOST DSA support from master branch
      See merge request gnutls/gnutls!1183
| * nettle/gost: support use GOST DSA support from master branch [Dmitry Baryshkov, 2020-01-30, 9 files, -30/+88]
      Use GOST DSA and GOST curves provided by Nettle's master branch.
      Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | Merge branch 'fix-pkcs12-iter' into 'master' [Dmitry Baryshkov, 2020-01-28, 1 file, -0/+3]
      pkcs12: do not go try calculating pbkdf2 with 0 iterations
      See merge request gnutls/gnutls!1182
| * | pkcs12: do not go try calculating pbkdf2 with 0 iterations [Dmitry Baryshkov, 2020-01-28, 1 file, -0/+3]
      Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to GnuTLS PKCS12 GOST code to check that iter is not 0.
      Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | add support for local threads with studio and ibm compilers [Bjoern Jacke, 2020-01-27, 1 file, -1/+1]
      Signed-off-by: Bjoern Jacke <bjacke@samba.org>
* key shares: avoid using internal errors [Nikos Mavrogiannopoulos, 2020-01-25, 1 file, -10/+10]
      On unknown curves or illegal parameters, make sure we return the right error code which will translate to the appropriate alert.
      Resolves: #907
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* lib/nettle/gost: restore compatibility with nettle master [Dmitry Baryshkov, 2020-01-24, 3 files, -0/+73]
      Use newer format of ecc curve data if curve448 support is detected.
      Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'legacy-gost-512' into 'master' [Nikos Mavrogiannopoulos, 2020-01-24, 1 file, -0/+4]
      x509: include digestParamSet into GOST 512-bit curves A and B params
      See merge request gnutls/gnutls!1173
| * x509: include digestParamSet into GOST 512-bit curves A and B params [Dmitry Eremin-Solenikov, 2020-01-20, 1 file, -0/+4]
      Old implementations do not understand PublicKeyParams with omitted digestParamSet. So include the field for old 512-bit curves to improve compatibility with old implementations.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-ed448' into 'master' [Daiki Ueno, 2020-01-24, 23 files, -52/+398]
      algorithms: implement X448 key exchange and Ed448 signature scheme
      See merge request gnutls/gnutls!984
| * | algorithms: implement X448 key exchange and Ed448 signature scheme [Daiki Ueno, 2020-01-23, 22 files, -52/+348]
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
| * | nettle: vendor in Curve448 and Ed448 implementation [Daiki Ueno, 2020-01-23, 1 file, -0/+50]
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'fix-gost-pkcs12' into 'master' [Dmitry Baryshkov, 2020-01-20, 1 file, -1/+1]
      pkcs12: use correct key length when using STREEBOG-512
      See merge request gnutls/gnutls!1171
| * | pkcs12: use correct key length when using STREEBOG-512 [Dmitry Baryshkov, 2020-01-20, 1 file, -1/+1]
      PKCS#12 files using GOST HMAC (GOST R 34.11-94 and Streebog) use special function to generate MAC key. Pass correct key length (fixed to be 32) when generating PKCS#12 files protected with Streebog (currently it incorrectly uses 64 there).
      Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* | Merge branch 'tmp-tls13-ocsp' into 'master' [Nikos Mavrogiannopoulos, 2020-01-20, 5 files, -2/+33]
      tls13: fix issues with client OCSP responses
      Closes #876
      See merge request gnutls/gnutls!1169
| * | tls13: request OCSP responses as a server [Nikos Mavrogiannopoulos, 2020-01-20, 1 file, -0/+16]
      The TLS1.3 protocol requires the server to advertise an empty OCSP status request extension on its certificate verify message for an OCSP response to be sent by the client. We now always send this extension to allow clients attaching those responses.
      Resolves: #876
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | tls13: do not send OCSP responses as client without server requesting [Nikos Mavrogiannopoulos, 2020-01-15, 5 files, -2/+17]
      In client side ensure we see a request for OCSP from servers before sending one.
      Relates: #876
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | x509: add OGRNIP DN entry definition used by qualified GOST certificates [Dmitry Baryshkov, 2020-01-20, 1 file, -0/+2]
      Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
* Merge branch 'override-default-priority' into 'master' [Nikos Mavrogiannopoulos, 2020-01-13, 1 file, -2/+31]
      libgnutls: Add system-wide default-priority-string override.
      See merge request gnutls/gnutls!1158
| * libgnutls: Add system-wide default-priority-string override. [Dimitri John Ledkov, 2020-01-13, 1 file, -2/+31]
      Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
* | lib: fix _kx_priority_gost termination item [Dmitry Eremin-Solenikov, 2020-01-13, 1 file, -0/+1]
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | Merge branch 'gost-priorities' into 'master' [Dmitry Eremin-Solenikov, 2020-01-12, 1 file, -54/+84]
      Extend GOST priority settings and documentation
      See merge request gnutls/gnutls!1160
| * | priority: make priority matching less error-prone [Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -67/+34]
      To remove possibility of using wrong length or using strncasecmp() instead of c_strncasecmp() define PRIO_MATCH(name) macro taking care about all details.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | priority: add new GOST-ALL shortcut [Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -0/+12]
      Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL, SIGN-GOST-ALL and GROUP-GOST-ALL.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | priority: add more GOST shortcuts [Dmitry Eremin-Solenikov, 2020-01-09, 1 file, -10/+47]
      Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only one item, but this list will be expanded as support for GOST-CTR-ACPKM ciphersuites will be added.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | lib/priority: add SIGN-GOST-ALL keyword [Dmitry Eremin-Solenikov, 2020-01-09, 1 file, -0/+14]
      Add SIGN-GOST-ALL keyword containing all defined GOST signature algorithms.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | lib/priority: use c_strncasecmp() for string comparison [Dmitry Eremin-Solenikov, 2020-01-08, 1 file, -12/+12]
      Use c_strncasecmp() instead of just strncasecmp() which can be affected by locale.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
| * | priority: fix GROUP-GOST-ALL comparison length [Dmitry Eremin-Solenikov, 2020-01-08, 1 file, -1/+1]
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | Merge branch 'fix-fips-gost' into 'master' [Dmitry Eremin-Solenikov, 2020-01-12, 1 file, -2/+2]
      Fix tests execution when FIPS mode is compiled but not enforced.
      See merge request gnutls/gnutls!1164
| * | | pk: set generated key algo before calling pct_test [Dmitry Eremin-Solenikov, 2020-01-10, 1 file, -2/+2]
      In wrap_nettle_pk_generate_keys() set params->algo before calling pct_test() as GOST sign/verify use that field.
      Reported-by: Daiki Ueno
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
* | | Merge branch 'tmp-ocsp-revocation' into 'master' [Daiki Ueno, 2020-01-10, 1 file, -0/+8]
      ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
      See merge request gnutls/gnutls!1159
| * | ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation [Daiki Ueno, 2020-01-10, 1 file, -0/+8]
      This makes the OCSP based certificate verification adhere to the convention used throughout the library: "The 'GNUTLS_CERT_INVALID' flag is always set on a verification error and more detailed flags will also be set when appropriate."
      Signed-off-by: Daiki Ueno <dueno@redhat.com>
* | Merge branch 'tmp-fix-doc' into 'master' [Tim Rühsen, 2020-01-09, 1 file, -1/+1]
      doc: clarify thread safeness in gnutls_global_init() [ci skip]
      Closes #900
      See merge request gnutls/gnutls!1162
| * | doc: clarify thread safeness in gnutls_global_init() [Nikos Mavrogiannopoulos, 2020-01-09, 1 file, -1/+1]
      This documents and clarifies the thread safeness of gnutls_global_init() and its constraints.
      Resolves: #900
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
* | | Merge branch 'tmp-ocsp-check' into 'master' (branch: 903-add-crl-and-crq-fuzzers) [Nikos Mavrogiannopoulos, 2020-01-09, 8 files, -38/+59]
      Provide flag to identify sessions that an OCSP response was requested
      Closes #829
      See merge request gnutls/gnutls!1131
| * | gnutls_ocsp_status_request_is_checked: mark explicitly as unsigned the return type [Nikos Mavrogiannopoulos, 2019-12-16, 2 files, -5/+6]
      Also some documentation updates.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| * | Provide flag to identify sessions that an OCSP response was requested [Nikos Mavrogiannopoulos, 2019-12-15, 7 files, -33/+53]
      That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be checked by a server application to determine whether the client has requested stapled OCSP responses. This includes minor cleanups in the status request handling code.
      Resolves: #829
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'tmp-check-dup-extensions' into 'master' [Nikos Mavrogiannopoulos, 2020-01-09, 3 files, -34/+91]
      x509: reject certificates having duplicate extensions
      Closes #887
      See merge request gnutls/gnutls!1145
| * | gnutls_x509_crt_get_extension_info: optimize when critical equals NULL [Nikos Mavrogiannopoulos, 2020-01-03, 1 file, -9/+9]
      That is, do not perform the look ups necessary to calculate the value when it will not be used.
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
| * | x509: reject certificates having duplicate extensions [Nikos Mavrogiannopoulos, 2020-01-03, 3 files, -25/+82]
      According to RFC5280 a certificate must not include more than one instance of a particular extension. We were previously printing warnings when such extensions were found, but that is insufficient to flag such certificates. Instead, refuse to import them.
      Resolves: #887
      Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* | | Merge branch 'estanglerbm-getrandom' into 'master' [Nikos Mavrogiannopoulos, 2020-01-05, 1 file, -1/+6]
      Fixes dummy getrandom() when errno = EAGAIN.
      Closes #892
      See merge request gnutls/gnutls!1150
| * | | Fixes dummy getrandom() when errno = EAGAIN. [Edward Stangler, 2020-01-03, 1 file, -1/+6]
      Fixes #892.
      Signed-off-by: Edward Stangler <estangler@bradmark.com>
* | | Fix NULL ptr access in _gnutls_iov_iter_next() [Tim Rühsen, 2020-01-03, 1 file, -0/+6]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | Fix "left shift cannot be represented in type 'int'" in hello_ext.[ch] [Tim Rühsen, 2020-01-03, 2 files, -3/+3]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | status_request.c: Silence -Wsign-compare [Tim Rühsen, 2020-01-03, 1 file, -1/+1]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | rnd-fuzzer.c: Suppress shift sanitization check [Tim Rühsen, 2020-01-03, 1 file, -0/+2]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | handshake.c: Suppress warning in fuzzing build [Tim Rühsen, 2020-01-03, 1 file, -0/+1]
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | | Fix implicit value change in verify-high.c [Tim Rühsen, 2020-01-03, 1 file, -10/+10]
      verify-high.c:284:7: runtime error: implicit conversion from type 'size_t' (aka 'unsigned long') of value 15421545260338 418178 (64-bit, unsigned) to type 'uint32_t' (aka 'unsigned int') changed the value to 437555714 (32-bit, unsigned)
      Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
* | Merge branch 'gost-split-5' into 'master' [Dmitry Eremin-Solenikov, 2019-12-29, 6 files, -8/+71]
      Workaround for SChannel limitations
      See merge request gnutls/gnutls!1138
| * | SignatureAlgorithms: force-enable GOST signatures for GOST KX [Dmitry Eremin-Solenikov, 2019-12-28, 6 files, -8/+71]
      SChannel-based clients can not send GOST identifiers as a part of SignatureAlgorithms extension. To mitigate this forcefully enable GOST signature algorithms if client sends GOST ciphersuite.
      Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>